Does a Domain have to be proxied in order for WAF (Firewall rules) to work?

The videos and documentation for WAF seem to only refer to a domain existing, not whether it is proxied or not as a pre-requisite to implementing Firewall Rules.

I assume that in order to enforce a Firewall rule then the returned address for the protected resource would be a proxy within Cloudflare so as to enforce the rule.

Is it the case that once a rule is enabled then this “Enforcement Proxy” is enabled by default?


Mike M

A site needs to be Proxied (orange cloud) for WAF to work. Otherwise, those connections will go directly to the IP address (your server) in DNS.
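An added pre-flight check that is not from this thread or from Cloudflare: it flags DNS records that are grey-clouded (and so bypass firewall rules) and, from the client side, tests whether a resolved address falls inside Cloudflare's ranges. The record shape is assumed to mirror the Cloudflare API's DNS listing, and the IP ranges are an illustrative subset; use the published list at https://www.cloudflare.com/ips/ in practice.

```python
import ipaddress
import json

# Constructed sample records. The fields mirror the `result` entries of the
# Cloudflare DNS-records API (an assumption, not taken from this thread).
SAMPLE_RECORDS = json.loads("""
[
  {"type": "A",     "name": "www.example.com",  "content": "203.0.113.10",     "proxied": true},
  {"type": "A",     "name": "api.example.com",  "content": "203.0.113.11",     "proxied": false},
  {"type": "CNAME", "name": "blog.example.com", "content": "ghs.example.net",  "proxied": false},
  {"type": "TXT",   "name": "example.com",      "content": "v=spf1 -all",      "proxied": false},
  {"type": "MX",    "name": "example.com",      "content": "mail.example.com", "proxied": false}
]
""")

# Only these record types can carry the orange cloud; TXT, MX etc. are DNS-only by nature.
PROXIABLE_TYPES = {"A", "AAAA", "CNAME"}

# Illustrative subset of Cloudflare's published IPv4 ranges (assumption: fetch
# the current authoritative list from https://www.cloudflare.com/ips/).
CF_RANGES_SAMPLE = ["104.16.0.0/13", "172.64.0.0/13"]


def unproxied_records(records):
    """Hostnames whose traffic bypasses the WAF: the record is grey-clouded,
    so resolvers hand clients the origin address directly."""
    return sorted(
        r["name"] for r in records
        if r["type"] in PROXIABLE_TYPES and not r.get("proxied", False)
    )


def resolved_ip_is_cloudflare(ip, cloudflare_ranges):
    """Client-side check: an address inside Cloudflare's ranges means the
    host is proxied; an address outside them is the exposed origin."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in cloudflare_ranges)


if __name__ == "__main__":
    for name in unproxied_records(SAMPLE_RECORDS):
        print(f"WARNING: {name} is DNS-only; firewall rules will not apply to it")
    for rec in SAMPLE_RECORDS:
        if rec["type"] == "A":
            state = "proxied" if resolved_ip_is_cloudflare(rec["content"], CF_RANGES_SAMPLE) else "origin exposed"
            print(f"{rec['name']} -> {rec['content']}: {state}")
```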


Thanks for your reply. It probably would not be a bad idea for there to be some kind of warning prior to enabling a rule that the domain needs to be proxied. I know it seems like a no brainer but it’s easy to assume that there is some kind of automagic that takes care of proxy requirements for rule enforcement as soon as you turn a rule on.

All Cloudflare features need orange-clouded DNS records (proxy) to work.


Almost all. I believe Load Balancer is the exception.


Ah yes, you are correct. However, that also comes with a note:

In DNS-Only mode, you can configure load balancers to set a TTL from 30 seconds to 10 minutes. Cloudflare will serve the addresses of the (healthy) origin servers directly but relies on DNS resolvers respecting the short TTL to re-query Cloudflare’s DNS for an updated list of healthy addresses. Traffic for domains using DNS-Only mode is routed based on the data center associated with the user’s recursive resolver (DNS recursor).

We can’t guarantee (CDN-wise) to have the content served from a specific location.
